Date: Tue, 27 Nov 2001 03:17:57 +0100
From: Walter Hop
To: FreeBSD ISP
Subject: Firewalling a CIFS fileserver from the evil world.
Message-ID: <11525977353.20011127031757@binity.com>

Hi all,

I've been trying to firewall some Samba fileservers off from a LAN while
retaining (only) CIFS traffic. As I have found some old hardware that can
function as a small time gateway, I'd like to put the fileservers on a
separate Ethernet.

.--------.
| samba1 |-----.
`--------'  |                 .---[ windows workstation ]
.--------.  |   .---------.   +-- [ windows workstation ]
| samba2 |--+---| gateway |---+- [ windows workstation ]
`--------'      `---------'   +-- .....
                     |
                  .------.
                  | adsl |--/.
                  `------'

(The samba* and gateway are FreeBSD boxes)

I would like the Samba fileservers to be only reachable via the CIFS
protocol (they should be able to query other boxes too) and deny any other
traffic, and I wonder what ipfw rules I could inject into the gateway so
the samba servers have some sense of "physical" security.

Is there anybody who has an ipfw-ruleset that allows (nothing but) CIFS
traffic, or can point me in the direction of a good description of the CIFS
protocol so I can make a better attempt? I guess it has been done before,
but could not find anything useful on the web...

Thanks in advance!
w.

-- 
Walter Hop
Updated contact information: http://www.binity.com/~walter/